MAISTRA-2411 Create NetworkPolicy for additional ingress gateways
dgn committed Aug 9, 2021
1 parent cdb87b4 commit b9695ff
Showing 5 changed files with 127 additions and 17 deletions.
7 changes: 7 additions & 0 deletions pkg/controller/servicemesh/controlplane/common_test.go
Expand Up @@ -46,6 +46,7 @@ type IntegrationTestValidation struct {
type IntegrationTestCase struct {
name string
smcp runtime.Object
versions []string
resources []runtime.Object
create IntegrationTestValidation
delete IntegrationTestValidation
Expand Down Expand Up @@ -114,6 +115,12 @@ func RunSimpleInstallTest(t *testing.T, testCases []IntegrationTestCase) {
}
}

func New21SMCPResource(name, namespace string, spec *v2.ControlPlaneSpec) *v2.ServiceMeshControlPlane {
smcp := NewV2SMCPResource(name, namespace, spec)
smcp.Spec.Version = versions.V2_1.String()
return smcp
}

func New20SMCPResource(name, namespace string, spec *v2.ControlPlaneSpec) *v2.ServiceMeshControlPlane {
smcp := NewV2SMCPResource(name, namespace, spec)
smcp.Spec.Version = versions.V2_0.String()
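Review bot: The new `versions []string` field on `IntegrationTestCase` is never set or read in this commit: the diffstat shows only seven added lines in this file (the field and `New21SMCPResource`), and none of the test cases added in gateways_test.go populate it. Either drop the field or wire it into `RunSimpleInstallTest` so that one case can run against several versions, which would also let the duplicated `label` and `label-2.1` cases collapse into one. `New21SMCPResource` would also read better with a doc comment such as `// New21SMCPResource returns a v2 ServiceMeshControlPlane with Spec.Version set to v2.1.`. The body of `RunSimpleInstallTest` lies outside the hunk.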
119 changes: 111 additions & 8 deletions pkg/controller/servicemesh/controlplane/gateways_test.go
Expand Up @@ -46,8 +46,8 @@ func TestAdditionalIngressGatewayInstall(t *testing.T) {
}),
create: IntegrationTestValidation{
Verifier: VerifyActions(
Verify("create").On("deployments").Named("istio-ingressgateway").In(controlPlaneNamespace).Passes(ExpectedDefaultLabelGatewayCreate("istio-ingressgateway."+controlPlaneNamespace)),
Verify("create").On("deployments").Named(additionalGatewayName).In(controlPlaneNamespace).Passes(ExpectedDefaultLabelGatewayCreate(additionalGatewayName+"."+controlPlaneNamespace)),
Verify("create").On("deployments").Named("istio-ingressgateway").In(controlPlaneNamespace).Passes(ExpectedLabelGatewayCreate("maistra.io/gateway", "istio-ingressgateway."+controlPlaneNamespace)),
Verify("create").On("deployments").Named(additionalGatewayName).In(controlPlaneNamespace).Passes(ExpectedLabelGatewayCreate("maistra.io/gateway", additionalGatewayName+"."+controlPlaneNamespace)),
),
Assertions: ActionAssertions{},
},
Expand Down Expand Up @@ -75,7 +75,7 @@ func TestAdditionalIngressGatewayInstall(t *testing.T) {
}),
create: IntegrationTestValidation{
Verifier: ActionVerifier(
Verify("create").On("deployments").Named(additionalGatewayName).In(controlPlaneNamespace).Passes(ExpectedDefaultLabelGatewayCreate(additionalGatewayName+"."+controlPlaneNamespace)),
Verify("create").On("deployments").Named(additionalGatewayName).In(controlPlaneNamespace).Passes(ExpectedLabelGatewayCreate("maistra.io/gateway", additionalGatewayName+"."+controlPlaneNamespace)),
),
Assertions: ActionAssertions{},
},
Expand Down Expand Up @@ -125,21 +125,107 @@ func TestAdditionalIngressGatewayInstall(t *testing.T) {
},
},
},
{
name: "label",
smcp: New20SMCPResource(controlPlaneName, controlPlaneNamespace, &v2.ControlPlaneSpec{
Gateways: &v2.GatewaysConfig{
IngressGateways: map[string]*v2.IngressGatewayConfig{
additionalGatewayName: {
GatewayConfig: v2.GatewayConfig{
Enablement: v2.Enablement{
Enabled: &enabled,
},
Service: v2.GatewayServiceConfig{
Metadata: &v2.MetadataConfig{
Labels: map[string]string{
"test": "test",
},
},
},
Namespace: controlPlaneNamespace,
},
},
},
},
}),
create: IntegrationTestValidation{
Verifier: VerifyActions(
Verify("create").On("networkpolicies").Named("istio-ingressgateway").In(controlPlaneNamespace).Passes(
ExpectedLabelMatchedByNetworkPolicy("istio", "ingressgateway"),
),
Verify("create").On("networkpolicies").Named(additionalGatewayName).In(controlPlaneNamespace).Passes(
ExpectedLabelMatchedByNetworkPolicy("test", "test"),
),
Verify("create").On("deployments").Named(additionalGatewayName).In(controlPlaneNamespace).Passes(
ExpectedLabelGatewayCreate("test", "test"),
),
),
Assertions: ActionAssertions{},
},
delete: IntegrationTestValidation{
Assertions: ActionAssertions{
Assert("delete").On("deployments").Named(additionalGatewayName).In(controlPlaneNamespace).IsSeen(),
},
},
},
{
name: "label-2.1",
smcp: New21SMCPResource(controlPlaneName, controlPlaneNamespace, &v2.ControlPlaneSpec{
Gateways: &v2.GatewaysConfig{
IngressGateways: map[string]*v2.IngressGatewayConfig{
additionalGatewayName: {
GatewayConfig: v2.GatewayConfig{
Enablement: v2.Enablement{
Enabled: &enabled,
},
Service: v2.GatewayServiceConfig{
Metadata: &v2.MetadataConfig{
Labels: map[string]string{
"test": "test",
},
},
},
Namespace: controlPlaneNamespace,
},
},
},
},
}),
create: IntegrationTestValidation{
Verifier: VerifyActions(
Verify("create").On("networkpolicies").Named("istio-ingressgateway").In(controlPlaneNamespace).Passes(
ExpectedLabelMatchedByNetworkPolicy("istio", "ingressgateway"),
),
Verify("create").On("networkpolicies").Named(additionalGatewayName).In(controlPlaneNamespace).Passes(
ExpectedLabelMatchedByNetworkPolicy("test", "test"),
),
Verify("create").On("deployments").Named(additionalGatewayName).In(controlPlaneNamespace).Passes(
ExpectedLabelGatewayCreate("test", "test"),
),
),
Assertions: ActionAssertions{},
},
delete: IntegrationTestValidation{
Assertions: ActionAssertions{
Assert("delete").On("deployments").Named(additionalGatewayName).In(controlPlaneNamespace).IsSeen(),
},
},
},
}
RunSimpleInstallTest(t, testCases)
}

func ExpectedDefaultLabelGatewayCreate(expected string) func(action clienttesting.Action) error {
func ExpectedLabelGatewayCreate(labelName string, expectedValue string) func(action clienttesting.Action) error {
return func(action clienttesting.Action) error {
createAction := action.(clienttesting.CreateAction)
obj := createAction.GetObject()
gateway := obj.(*unstructured.Unstructured)
if val, ok := common.GetLabel(gateway, "maistra.io/gateway"); ok {
if val != expected {
return fmt.Errorf("expected maistra.io/gateway label to be %s, got %s", expected, val)
if val, ok := common.GetLabel(gateway, labelName); ok {
if val != expectedValue {
return fmt.Errorf("expected %s label to be %s, got %s", labelName, expectedValue, val)
}
} else {
return fmt.Errorf("gateway should have maistra.io/gateway label defined")
return fmt.Errorf("gateway should have %s label defined", labelName)
}
return nil
}
Expand All @@ -154,3 +240,20 @@ func ExpectedExternalGatewayCreate(action clienttesting.Action) error {
}
return nil
}

func ExpectedLabelMatchedByNetworkPolicy(labelName string, expectedValue string) func(action clienttesting.Action) error {
return func(action clienttesting.Action) error {
createAction := action.(clienttesting.CreateAction)
obj := createAction.GetObject()
networkPolicy := obj.(*unstructured.Unstructured)
if val, found, err := unstructured.NestedString(networkPolicy.Object, "spec", "podSelector", "matchLabels", labelName); err == nil {
if !found || val != expectedValue {
return fmt.Errorf("expected %s label to be matched against value %s, but didn't", labelName, expectedValue)
}
} else if err != nil {
return err
}

return nil
}
}
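Review bot: The `delete` validation in the new `label` and `label-2.1` cases asserts only that the deployment is removed, although both cases verify that a NetworkPolicy is created for the additional gateway. The rendered policy allows all ingress to whatever pods match its selector, so a policy that outlives its gateway is worth guarding against; consider adding `Assert("delete").On("networkpolicies").Named(additionalGatewayName).In(controlPlaneNamespace).IsSeen(),` to both, assuming the test harness records that delete (not visible here). In `ExpectedLabelMatchedByNetworkPolicy`, the `else if err != nil` branch is redundant after `err == nil`; checking `if err != nil { return err }` first and then `!found || val != expectedValue` reads more directly. The unchecked assertions `action.(clienttesting.CreateAction)` and `obj.(*unstructured.Unstructured)` will panic instead of returning an error if the verifier is ever attached to a different action or object type.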
Expand Up @@ -2,20 +2,20 @@
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: "istio-ingressgateway"
name: {{ $gateway.name }}
{{- if not $gateway.namespace }}
namespace: {{ .Release.Namespace }}
{{- else }}
namespace: {{ $gateway.namespace }}
{{- end }}
labels:
app: {{ index .Values "gateways" "istio-ingressgateway" "labels" "istio" }}
{{ $gateway.labels | toYaml | indent 4 }}
release: {{ .Release.Name }}
annotations:
"maistra.io/internal": "true"
spec:
podSelector:
matchLabels:
istio: ingressgateway
{{ $gateway.labels | toYaml | indent 6 }}
ingress:
- {}
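Review bot: `podSelector.matchLabels` is now rendered from `{{ $gateway.labels | toYaml | indent 6 }}` with no guard for an empty or missing label map. An empty `matchLabels` selects every pod in the namespace, and this policy's `ingress: - {}` rule allows all traffic, so a gateway defined without labels would open ingress to the whole namespace instead of only to the gateway pods. Consider skipping or failing the render in that case, for example by wrapping the document in `{{- if $gateway.labels }}` … `{{- end }}`, and add a test case for a gateway that has no labels. The same applies to the two other NetworkPolicy templates changed below (the `maistra-version: "2.0.6.2"` and `"2.1.0"` variants); where `$gateway` is bound lies outside the hunk, so an upstream default may already cover this.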
Expand Up @@ -2,21 +2,21 @@
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: "istio-ingressgateway"
name: {{ $gateway.name }}
{{- if not $gateway.namespace }}
namespace: {{ $gateway.namespace | default .Release.Namespace }}
{{- else }}
namespace: {{ $gateway.namespace | default .Release.Namespace }}
{{- end }}
labels:
maistra-version: "2.0.6.2"
app: {{ index .Values "gateways" "istio-ingressgateway" "labels" "istio" }}
{{ $gateway.labels | toYaml | indent 4 }}
release: {{ .Release.Name }}
annotations:
"maistra.io/internal": "true"
spec:
podSelector:
matchLabels:
istio: ingressgateway
{{ $gateway.labels | toYaml | indent 6 }}
ingress:
- {}
Expand Up @@ -2,21 +2,21 @@
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: "istio-ingressgateway"
name: {{ $gateway.name }}
{{- if not $gateway.namespace }}
namespace: {{ $gateway.namespace | default .Release.Namespace }}
{{- else }}
namespace: {{ $gateway.namespace | default .Release.Namespace }}
{{- end }}
labels:
maistra-version: "2.1.0"
app: {{ index .Values "gateways" "istio-ingressgateway" "labels" "istio" }}
{{ $gateway.labels | toYaml | indent 4 }}
release: {{ .Release.Name }}
annotations:
"maistra.io/internal": "true"
spec:
podSelector:
matchLabels:
istio: ingressgateway
{{ $gateway.labels | toYaml | indent 6 }}
ingress:
- {}
